Error when you access Microsoft Dynamics CRM using the NLB address: "HTTP Error 401 - Unauthorized"

Symptoms

When you access Microsoft Dynamics CRM using the Network Load Balancing (NLB) address, a prompt for credentials appears, and you cannot log in to Dynamics CRM with these credentials. You receive the following error message:

HTTP Error 401 - Unauthorized


The following conditions are true:

  • The Microsoft Dynamics CRM Application Pool runs under a domain user account.

  • In Internet Information Services (IIS) 7.0 and IIS 7.5, the Enable Kernel-mode authentication option is enabled.



Cause

By default, IIS 7.0 and IIS 7.5 have the Enable Kernel-mode authentication feature enabled. With this feature, the Kerberos ticket used by a specific application is decrypted using the Local Machine Account (Local System) of the IIS server.

When this occurs, the Local Machine Account does not have enough privilege to run Microsoft Dynamics CRM. In addition, when using Service Accounts with Network Load Balancing, the service accounts on each CRM server and the NLB Virtual Node must be the same service account. By default, these accounts will not have Service Principal Names configured.

Resolution

  1. Log in to each Microsoft Dynamics CRM Server.

  2. Install the IIS 7 Admin Pack: http://www.iis.net/extensions/AdministrationPack. (Note: The IIS 7 Admin Pack is installed by default in Windows Server 2008 R2.)

  3. On the Start menu, point to Administrative Tools, and then click IIS Manager.

  4. Expand the server, click to expand Sites, and then click Microsoft Dynamics CRM.

  5. Under Management, click Configuration Editor.

  6. For the Section location, click to expand system.webServer, expand Security, expand Authentication, and then click Windows Authentication.

  7. In the From section above Properties, select ApplicationHost.config.

  8. In the properties page, set useAppPoolCredentials to True, and then click Apply.

  9. Restart IIS. 


Next, you must configure two Service Principal Names (SPNs) for each Microsoft Dynamics CRM Server and for the virtual node: one SPN for the NetBIOS name and one for the Fully Qualified Domain Name (FQDN), both registered on the service account being used. For more information on configuring SPNs, see the SPN Checklist for Kerberos Authentication in the More Information section.
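
The resolution steps and the SPN registration above can also be scripted. The following PowerShell is an added example, not part of the original article. It assumes the WebAdministration module is available, that the SPNs use the HTTP service class, and that the account, domain and host names shown are placeholders to replace with your own.

```powershell
# Added example. Account, domain and host names are placeholders, not values from the article.
Import-Module WebAdministration

$SiteName       = 'Microsoft Dynamics CRM'    # site name as shown in IIS Manager (step 4)
$ServiceAccount = 'CONTOSO\svc-crm'           # placeholder: CRM application pool identity
$Domain         = 'contoso.local'             # placeholder: DNS domain suffix
$Hosts          = 'CRM01', 'CRM02', 'CRMNLB'  # placeholder: each CRM server plus the NLB virtual node
$Filter         = 'system.webServer/security/authentication/windowsAuthentication'

function Enable-AppPoolCredentials {
    # Run locally on every CRM server (steps 5 to 9).
    # Precondition from the Symptoms section: the pool runs under a domain user account.
    $pool     = (Get-Item "IIS:\Sites\$SiteName").applicationPool
    $identity = (Get-Item "IIS:\AppPools\$pool").processModel.userName
    if ($identity -ne $ServiceAccount) {
        throw "Pool '$pool' runs as '$identity', expected '$ServiceAccount'."
    }

    # Write the setting to ApplicationHost.config, scoped to the CRM site.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter $Filter -Name 'useAppPoolCredentials' -Value $true

    # Read it back before restarting IIS.
    $current = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $SiteName -Filter $Filter -Name 'useAppPoolCredentials'
    if (-not $current.Value) { throw "useAppPoolCredentials is not set on $env:COMPUTERNAME." }

    & iisreset.exe
}

function Register-CrmSpns {
    # Run once, as an account allowed to write servicePrincipalName on the service account.
    foreach ($h in $Hosts) {
        foreach ($spn in "HTTP/${h}", "HTTP/${h}.${Domain}") {
            # -S checks the domain for an existing registration of this SPN before adding it.
            & setspn.exe -S $spn $ServiceAccount
        }
    }
    & setspn.exe -L $ServiceAccount   # list the SPNs now held by the service account
    & setspn.exe -X                   # search the domain for duplicate SPNs
}

# Usage: call Enable-AppPoolCredentials on each CRM server, then Register-CrmSpns once.
```

An SPN registered on more than one account causes Kerberos authentication to fail, so review the `setspn -X` output before testing the NLB address again.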

More Information

For more information, click the following link to view the article in the Microsoft Knowledge Base:

Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5
http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

useAppPoolCredentials = True with Kerberos Delegation on 2008
http://blogs.technet.com/b/proclarity/archive/2011/03/08/useapppoolcredentials-true-with-kerberos-delegation-on-2008.aspx
